01-25-2007 10:26 AM - edited 02-21-2020 02:50 PM
Currently, we have a VPN tunnel connected to a remote office using 2 Hotbrick VPN routers.
When one of the internal computers tries to connect to another client VPN server using Cisco VPN Client v4.8, it will drop/disable/lose the existing VPN tunnel between us and the remote office. The tunnel is still established but there is no traffic between the 2 sites. (can't ping at all)
What causes the problem? Hotbrick issue? Cisco VPN client setting or something else?
I have no idea what causes the issue. Please help. Thanks in advance.
Solved! Go to Solution.
01-27-2007 12:29 PM
Hi,
The problem is that your NAT device will not do the translation properly, and when the 2nd client fires the connection (ISAKMP packets, UDP 500) the port is not translated, so for the ASA it is like the first user is trying to log in again, so it discards the initial connection.
The trick is, as you discovered, to use UDP transparency.
The problem is that UDP 10000 is not a standard, so you need to check if multiple users will be able to be connected at the same time behind the same NAT.
If not, use the industry standard NAT transparency (UDP 4500). This will need to be configured only on the ASA.
Please rate if this helped.
Regards,
Daniel
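The two ASA-side options Daniel contrasts, written out as an added configuration example (not from this thread or from Cisco's documentation for this exact setup; the group-policy name is a placeholder):

```text
! Option A: what the poster turned on. IPsec over UDP on a non-standard port.
! The ASA encapsulates ESP in UDP 10000 for clients in this group policy;
! each client must also have "Transparent Tunneling" / "IPSec over UDP" enabled.
! Whether several clients behind the SAME NAT can share port 10000 depends on
! that NAT's PAT behaviour, which is the caveat Daniel raises.
group-policy REMOTE_USERS_POLICY attributes
 ipsec-udp enable
 ipsec-udp-port 10000
!
! Option B: standard NAT Traversal (RFC 3947/3948). Both peers detect the NAT
! during IKE and move to UDP 4500, where a PAT device assigns a distinct source
! port per client, so two clients behind one NAT no longer look like the same
! peer to the ASA. The argument is the NAT keepalive interval in seconds.
crypto isakmp nat-traversal 20
```

With option B in place, the non-standard UDP 10000 setting can be left disabled, so the site-to-site tunnel between the two Hotbricks and a client VPN from the same LAN no longer collide on untranslated UDP 500.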
01-26-2007 09:09 AM
Are the Hotbricks being NAT'd to a public address, or do the outside interfaces have actual public IP addresses? Also, if there is NAT'ing, are the VPN clients being NAT'd to the same public IP?
01-26-2007 10:05 AM
Yes, both Hotbricks have NAT with a public address.
NET1--L_HOTBRICK --INTERNET-- R_HOTBRICK--NET2
L_HOTBRICK and R_HOTBRICK have a VPN tunnel on their public IPs.
A local server on NET2 tries to use the Cisco VPN Client to connect to another location (not NET1 or NET2).
Whenever the Cisco VPN is established, it works fine, but I cannot ping across the tunnel between L_HOTBRICK and R_HOTBRICK. The tunnel is still established.
Very interesting.. but I've lost a lot of hair now...
01-26-2007 12:26 PM
Hmm.. somehow I got it to work if I enable IPSec over UDP and IPSec over UDP Port 10000 on the ASA5510 and check the Transparent Tunneling check box on the VPN clients. Now both tunnels work.. any idea?
Time to find it out.. Thanks anyway.